You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

110 lines
3.6 KiB

  1. upstream app_server {
  2. server unix:/run/gunicorn/socket fail_timeout=0;
  3. }
  4. # define map to set Expires+Cache-Control headers for files based on type
  5. map $sent_http_content_type $expires_type_map {
  6. default off;
  7. text/css max;
  8. application/javascript max;
  9. image/x-icon 1d;
  10. ~image/ max;
  11. }
  12. server {
  13. # block bots that don't obey robots.txt
  14. if ($http_user_agent ~* (SemrushBot)) {
  15. return 403;
  16. }
  17. # remove trailing slash from addresses, the $port thing is a hack for
  18. # development in Vagrant, so the port forwarding from the host is kept
  19. set $port '';
  20. if ($http_host ~ :(\d+)$) {
  21. set $port :$1;
  22. }
  23. rewrite ^/(.*)/$ https://$host$port/$1 permanent;
  24. # redirect /donate to the page on the Docs site
  25. rewrite ^/donate$ https://docs.tildes.net/donate redirect;
  26. # redirect /u/username to /user/username
  27. rewrite ^/u/(.*)$ https://$host$port/user/$1;
  28. listen 443 ssl http2;
  29. listen [::]:443 ssl http2;
  30. {% if nginx_enable_hsts %}
  31. add_header Strict-Transport-Security "max-age={{ hsts_max_age }}; includeSubDomains; preload" always;
  32. {% endif %}
  33. {% if nginx_enable_csp %}
  34. # Content Security Policy:
  35. # - "img-src data:" is needed for Spectre.css icons
  36. # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
  37. add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
  38. {% endif %}
  39. add_header X-Content-Type-Options "nosniff" always;
  40. add_header X-Frame-Options "DENY" always;
  41. add_header X-Xss-Protection "1; mode=block" always;
  42. add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  43. server_name {{ site_hostname }};
  44. keepalive_timeout 5;
  45. root {{ app_dir }}/static;
  46. # Block access to /metrics except from Prometheus server(s)
  47. location /metrics {
  48. {% for ip in prometheus_ips -%}
  49. allow {{ ip }};
  50. {% endfor -%}
  51. deny all;
  52. # try_files is unnecessary here, but I don't know the "proper" way
  53. try_files $uri @proxy_to_app;
  54. }
  55. # add Expires+Cache-Control headers from the mime-type map defined above
  56. expires $expires_type_map;
  57. location / {
  58. # checks for static file, if not found proxy to app
  59. try_files $uri @proxy_to_app;
  60. gzip_static on;
  61. }
  62. location @proxy_to_app {
  63. {% if nginx_enable_ratelimiting %}
  64. # apply rate-limiting, allowing a burst above the limit
  65. limit_req zone=tildes_app burst=5 nodelay;
  66. {% endif -%}
  67. # Cornice adds the X-Content-Type-Options header, so it will end up
  68. # being duplicated since nginx is also configured to send it (above).
  69. # It's better to drop the header coming from Gunicorn here than to
  70. # stop sending it in nginx, since if I ever stop using Cornice I would
  71. # lose that header (and probably not realize).
  72. proxy_hide_header X-Content-Type-Options;
  73. proxy_set_header Host $host;
  74. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  75. proxy_set_header X-Forwarded-Proto $scheme;
  76. proxy_redirect off;
  77. proxy_pass http://app_server;
  78. }
  79. }
  80. {% if nginx_redirect_www %}
  81. # redirect www. to base domain
  82. server {
  83. listen 80;
  84. listen 443 ssl http2;
  85. listen [::]:443 ssl http2;
  86. server_name www.{{ site_hostname }};
  87. return 301 https://{{ site_hostname }}$request_uri;
  88. }
  89. {% endif %}